Even before the pandemic, many businesses were trying to understand and manage the various security and compliance risks, including regulatory compliance risks, posed by platforms and applications that enable virtual team collaboration. COVID-19 disruption intensified that focus exponentially, as these platforms and apps went from novel to necessity for countless companies whose workforces became all or partially remote, almost overnight.
Healthcare organizations have been especially concerned about how adopting apps for hosting audio and video conferences, communicating via group chat, collaborating on files, and more might impact their ability to safeguard patients’ protected health information (PHI) and stay in compliance with HIPAA: the Health Insurance Portability and Accountability Act. HIPAA is a series of federal regulatory standards that requires companies that handle PHI to have physical, network, and process security measures in place—and to follow them.
Healthcare organizations use separate secure messaging systems for patient communications. These systems are designed to protect sensitive PHI within these communications. Still, employees can inadvertently share and misuse PHI internal communications platforms like Microsoft Teams. Therefore, many healthcare organizations have found that they need to capture, monitor, and retain such communications. By doing so, they can identify risky behaviors quickly and respond to investigations or audits as needed.
One specific question many healthcare businesses are weighing right now is this: “Is Microsoft Teams HIPAA compliant?” The unified business communication platform is top of mind for these organizations because its use has skyrocketed during the pandemic. In late October 2020, Microsoft CEO Satya Nadella reported during an earnings call with investors that Microsoft Teams had 115 million daily active users—up from 44 million in March.
Microsoft Teams helps enhance workforce productivity, and it can integrate with many apps and other programs. For healthcare organizations, the data sharing these integrations enable can include PHI, which creates compliance risk. If your organization is among the HIPAA-covered businesses looking to adopt Microsoft Teams, here are three things to keep in mind about using the platform and staying in compliance with HIPAA:
1. You can configure Microsoft Teams to support HIPAA security and privacy requirements
So, is Teams HIPAA compliant? According to Microsoft, the Microsoft Teams platform, built on the Microsoft 365 cloud, helps enable HIPAA compliance. Organizations can configure Microsoft Teams to support HIPAA security and privacy requirements.
In a recent white paper about HIPAA compliance and Microsoft Teams, Microsoft explained that it built all of its cloud apps and networks following its own Trusted Cloud principles for security, privacy, and compliance. And, by doing so, it had achieved compliance with the HIPAA Security Rule. Key elements of that rule for “covered entities”—organizations that must follow HIPAA regulations—include:
- Ensuring the confidentiality, integrity, and availability of all electronic PHI
- Detecting and safeguarding against anticipated threats to the security of the information
- Protecting against anticipated, impermissible uses or disclosures
- Certifying compliance by their workforce
Microsoft’s white paper outlines in detail how to use Office 365 and Microsoft Teams to achieve compliance for each aspect of the HIPAA Security Rule. The document also warns that incorrect configuration of systems like Office 365 could violate certain laws and may lead to HIPAA noncompliance. One of those laws relates to business associate agreements.
2. Signing a BAA is a critical step to enabling Microsoft Teams HIPAA compliance
Before a HIPAA-covered organization makes Microsoft Teams available to its workforce, it will need to enter into a business associate agreement with Microsoft. Why? HIPAA regulations require that covered entities and their business associates enter contracts to ensure the latter will adequately protect PHI. Microsoft is considered a business associate because it provides services to covered entities.
As Microsoft explains on its website, business associate agreements, also referred to as BAA, “clarify and limit how the business associate can handle PHI, and set forth each party’s adherence to the security and privacy provisions set forth in HIPAA and the HITECH Act.” (You can access Microsoft’s HIPAA Business Associate Agreement here.)
Once a signed BAA is in place, HIPAA-covered entities can use Microsoft’s services to process and store PHI—and Microsoft Teams can be considered a HIPAA-complaint platform for collaboration. However, there is a “but” to this statement, as explained below.
3. It’s down to covered entities to ensure their use of Microsoft Teams complies with HIPAA
Demonstrating appropriate IT-related internal controls for mitigating fraud and risk is essential to meeting HIPAA compliance. When it comes to using Microsoft Teams, covered entities will need to take steps to ensure their use of the collaboration platform meets HIPAA requirements. That’s the only way they can confidently answer the question: “Is our use of Microsoft Teams HIPAA compliant?”
Covered entities are responsible for ensuring they have the proper controls and reporting mechanisms in place to protect PHI, and that they are appropriately configured and activated. That includes making good use of the various safeguards available in the Microsoft Teams platform, such as:
- User access controls (Note: HIPAA’s first Technical Safeguard is “Access Control”; a covered entity must implement technical policies and procedures that allow only authorized persons to access electronic PHI.)
- Modern authentication processes like multi-factor authentication (MFA) and single sign-on (SSO)
- Encryption of data in transit and at rest
- Audit logs for tracking and investigating specific activities
Beyond these safeguards, consider how you’ll gain visibility into the actual content of Microsoft Teams communications. Do you have a way to identify misuse of PHI or other protected information in Teams conversations? Can you access and search historical communications in the case of an investigation or audit?
To strengthen record keeping and compliance efforts, businesses may want to consider using tools such as Proofpoint Content Capture tools that make it easy to capture, manage, and retain data from Microsoft Teams and other collaboration platforms and content sources.
To find out more about how Proofpoint helps healthcare businesses meet the challenge of today’s advanced threats and compliance risks on our Healthcare Cybersecurity page.